55

I am using Amazon's tutorial for installing a LAMP server. The first several instructions involve using yum, but every single way I have tried to do it has resulted in the same message. I have found a few other recent questions about the same issue, none of which change anything on my setup.

Here is the message:

Loaded plugins: priorities, update-motd, upgrade-helper
Could not retrieve mirrorlist http://repo.us-east-1.amazonaws.com/latest/main/mirror.list error was
12: Timeout on http://repo.us-east-1.amazonaws.com/latest/main/mirror.list: (28, 'Connection timed out after 10001 milliseconds')


One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Disable the repository, so yum won't use it by default. Yum will then
    just ignore the repository until you permanently enable it again or use
    --enablerepo for temporary usage:

        yum-config-manager --disable <repoid>

 4. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

 Cannot find a valid baseurl for repo: amzn-main/latest

I have done this same thing before without running into any problems, using the same tutorial, but it was several months ago. I don't know what has changed but my meager experience is keeping me from figuring it out.

Andrew Johnson
  • 688
  • 1
  • 6
  • 9

22 Answers22

52

Looks like the host is having trouble contacting the yum server. Make sure the instance has outbound internet access (check security groups etc). If the instance is in a VPC and the security groups look good you may need to use a nat appliance or attach an elastic IP.

Good luck-

chadneal
  • 686
  • 6
  • 8
  • 4
    in my case i unchecked "Automatically assign a public IP address to your instances" while creating the instance. – munna_1 May 12 '14 at 15:09
  • 2
    In addition to Chadneal's answer. In case you created a custom/new security group then check and configure the outbound traffic for your instance. – Rites Oct 17 '14 at 05:07
  • 1
    check you don't have a rule in iptables which might be causing problems – JasonPlutext Jan 13 '15 at 23:31
  • 2
    did not have outbound internet access – Kishor Pawar Aug 09 '16 at 13:42
  • Not sure about munna_1's comment, I had to do exactly the opposite. Without a public IP address (and no NAT) the instance cannot connect to the public internet. – Nick Dec 03 '16 at 15:48
  • In my case, I had my instances in Public subnet, and Public Subnet was connected to Load Balancer which was connect to InternetGateway (no NAT). I require to assign **public IP** to my instances in order to run `YUM` command to do different installations. I had AutoLaunchConfiguration Script which launch instances automatically, so I enabled "*Assign Public IP to each instances at launch*" option in my Launch Configurations. – Hannan Jul 27 '18 at 07:44
  • (For specific details, see davetw12's comment below.) – CyclingDave Oct 07 '20 at 13:11
25

If you have an S3 endpoint on your VPC then this will cause yum to fail as repo file is stored in S3. To fix this add the following policy to S3:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": [
            "arn:aws:s3:::repo.eu-west-1.amazonaws.com",
            "arn:aws:s3:::repo.eu-west-1.amazonaws.com/*"
        ]
    }
]
}

Replace eu-west-1 with the relevant region code that your S3 endpoint is in.

phill.tomlinson
  • 816
  • 10
  • 12
  • Thank you for this, this was exactly my issue! If your problem was like mine, you probably don't just need access to repo.whatever, you probably also need access to packages.whatever too. So instead, I'm using an acl like this: ```{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": [ "arn:aws:s3:::*.amazonaws.com", "arn:aws:s3:::*.amazonaws.com/*" ] } ] }``` – tamale Jun 17 '16 at 16:46
  • Adding this policy to the "S3 Endpoint in VPC" to be exact. I actually have a policy that allows all resources, all principals, all actions. And still during boot instances would timeout to install packages. – Evgeny Apr 21 '17 at 12:08
  • 2
    To complement: https://aws.amazon.com/amazon-linux-ami/faqs/#vpc-endpoint on :: How do I configure a VPC endpoint to allow connections to the Amazon Linux AMI repositories? – ericson.cepeda Jul 05 '17 at 21:06
  • Could you please briefly explain or post a link on how to edit this policy? Thank you! – Thomas May 03 '18 at 21:56
  • Thanks! I struggled for several hours why I couldn't even ping the yum repo. Adding your policy fixed it. – Jeff of Brooklyn Nov 14 '18 at 15:46
  • I created a new instance with a random AWS-assigned ip and could not access repo. Solved this by temporarily assigning an existing eip and it worked, since that eip was configured in our firewall. – nettie Jan 29 '19 at 19:24
16

A lot of first time users of Amazon EC2 run into this issue. In my experience, it's usually the result of not setting the allowed outgoing connections on their instance's security group. The tutorial that Amazon has for configuring Amazon Linux instances only mentions setting the Incoming connections so it's easy to forget that you never set the allowed outgoing ones. Simply allowing HTTP and HTTPS requests to any IP Address should fix the issue.

davetw12
  • 1,627
  • 1
  • 19
  • 26
  • Even I had the same issue. I added `HTTP` and `HTTPS` requests to any ip address in `Outbound` rules. Then I rebooted the instance and I had the same error. You can check my question here: http://stackoverflow.com/questions/33125410/unable-to-connect-to-amazon-ec2-instance-via-putty – Ajay Kulkarni Oct 15 '15 at 08:00
  • 1
    Correct me if I'm wrong, but Security Groups are stateful in AWS, meaning that anything setup in inbound traffic also does the same for outbound traffic. I suppose though, if you had this tied to your single IP address, then it wouldn't work in the outbound mode, maybe? – AspiretoCode Aug 18 '17 at 02:46
  • @AspiretoCode I totally agree with you – lft93ryt Nov 04 '17 at 23:55
  • By default, security groups allow all outbound traffic. – jarmod Mar 18 '19 at 17:42
  • @AspiretoCode yes they are stateful, so you can define an incoming security group and it will let traffic in and the same traffic out again. It won't let traffic out that starts from inside the instance. For that you have to add an outgoing "Egress" group. – CyclingDave Feb 03 '20 at 09:32
  • @jarmod by default there is an outgoing security group that allows all traffic, but if you build a new security group yourself, for example with Terraform, that default won't be there unless you explicitly add it. – CyclingDave Feb 03 '20 at 09:32
  • @CyclingDave Interesting, that seems like a Terraform-specific thing. When you create a new (VPC) security group from any one of the AWS console, the awscli, SDK (I used boto3), or CloudFormation, it is auto-populated with one egress rule allowing all traffic, all protocols, to 0.0.0.0/0. – jarmod Feb 03 '20 at 14:42
  • @davetw12 thanks a lot for your answer. It solved my issue. – Bharathi Raja Paramanantham Mar 23 '21 at 10:38
6

I have the same problem and was related to name resolution. I used the following to correct:

EC2 instance has no public DNS

This is the good explanation from Mat:

  • Go to console.aws.amazon.com
  • Go To Services -> VPC
  • Open Your VPCs
  • select your VPC connected to your EC2 and
  • Edit Summary ---> Change DNS hostnames: to YES
Community
  • 1
  • 1
Valladão
  • 174
  • 2
  • 12
2

just assign the default security group along with the one you may have created. This solved my problem. ;)

Hussain AlQatari
  • 129
  • 1
  • 5
2

I had the same problem, turns out another sysadmin decided to route outbound internet traffic through a proxy. I found this by noticing some wearied proxy env settings, dug a little deeper, and then noticed an entry in my /etc/yum.conf file.

Commented out the proxy= line and all worked again.

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
#proxy=http://pos-proxy-in-my-way-of-doing-actual-real-work:666
ElasticThoughts
  • 3,208
  • 6
  • 41
  • 55
2

Check if your outbound entries are deleted/modified from assigned Security group. Normally Outbound entries are set to "All traffic" and allow any IP.

In my case, outbound was deleted. I again set to "All traffic" and it works.

Amit Baderia
  • 1,172
  • 10
  • 12
1

With chadneal's comment. It is necessary to set the DNS Resolution to Yes.

  • Go to console.aws.amazon.com
  • Go To Services -> VPC
  • Open Your VPCs
  • Select your VPC connected to your EC2
  • Click Edit DNS Resolution and set it Yes
Yoonian
  • 487
  • 10
  • 13
  • It's not the same. > DNS resolution: Indicates whether instances launched in this VPC get DNS hostname. > DNS hostnames: Indicates whether DNS resolution is supported for this VPC. If 'no', the AWS-provided DNS server that resolves public DNS hostnames to IP addresses is not enabled. – Yoonian Oct 08 '18 at 11:21
1

Loaded plugins: priorities, update-motd, upgrade-helper Could not retrieve mirrorlist http://repo.us-east-1.amazonaws.com/latest/main/mirror.list error was 12: Timeout on http://repo.us-east-1.amazonaws.com/latest/main/mirror.list: (28, 'Connection timed out after 10001 milliseconds')

One of the configured repositories failed (Unknown), and yum doesn't have enough cached data to continue. At this point the only safe thing yum can do is fail. There are a few ways to work "fix" this:

  1. Contact the upstream for the repository and get them to fix the problem.

  2. Reconfigure the baseurl/etc. for the repository, to point to a working upstream. This is most often useful if you are using a newer distribution release than is supported by the repository (and the packages for the previous distribution release still work).

  3. Disable the repository, so yum won't use it by default. Yum will then just ignore the repository until you permanently enable it again or use --enablerepo for temporary usage:

    yum-config-manager --disable <repoid>

  4. Configure the failing repository to be skipped, if it is unavailable. Note that yum will try to contact the repo. when it runs most commands, so will have to try and fail each time (and thus. yum will be be much slower). If it is a very temporary problem though, this is often a nice compromise:

    yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: amzn-main/latest

Same error I was also having from last week tried almost everything but not able to install server and start httpd service.

Resolved it by just allowing all traffic IN/OUT to and From Security Group and NACL... try it it will be resolved defiantly.

sunil mehta
  • 11
  • 1
1

Go to the security group for which EC2 is configured. And verify the below fields in its Inbound rules.If these below fields are not there then add it by clicking on button Edit inbound rules.

  1. Type-: All traffic
  2. Protocol-: All
  3. Port range-: All
  4. Destination-: 0.0.0.0/0

Hope this would resolve the issue.

SADIQUE SHAMIM
  • 438
  • 4
  • 7
0

Also, if you are unable to get any DNS working, check your DHCP options set. I had left an old one in place, and when I cleaned up a project involving active directory integrations, it broke. The answer is simply to change back to the original/saved options.

Kent L. Estes
  • 1
0

I was getting the same exact error message for yum as described in the question. In my case I had a NACL that allowed all outgoing traffic but restricted incoming traffic to HTTP/HTTPS, SSH and All ICMP. Since NACLS are stateless attempting to run yum failed as incoming ephemeral connections that yum uses were not explicitly allowed and were therefore dropped.

logan5
  • 1
0

The problem can occur at both levels Security Groups and NACLs. In my case, I figured out that even after modifying the security group, the update failed. However, when the NACLs were modified.. the update was successful

Ambar Hassani
  • 1
0

I ran the following command with sudo (can't do yum alone if you're not root) and it fixed the issue.

yum-config-manager --save --setopt=dev.mysql.com_downloads_repo_yum_.skip_if_unavailable=true

 

Phani Kumar M
  • 4,405
  • 1
  • 11
  • 25
EC2newbie
  • 1
0

I had the same problem. In my case, I mistakenly deleted the outbound rules of my security group. Adding outbound rule to allow all traffic solved the problem.

Gaurav Seth
  • 147
  • 2
  • 9
0

please follow the below step

Step 1 : go to AWS-VPC

Step 2 : find DHCP option

Step 3 : if you dont have any DHCP options create a new DHCP

Step 4 : add domaine name = ap-south-1.compute.internal (if your using other region please use other regionname)

Step 5 : add domain name server = AmazonProvidedDNS

Step 6 : then select your VPC --> actions -->edit your DHCP option set --> Select DHCP set which you just created --> Save

Step 7 : Then Reboot your Instance

Step 8 : Login Your Instance then Just type yum list installed --> It will defiantly give you the list of installed things

Thank you

sachin_ur
  • 1,426
  • 12
  • 23
0

don't worry this is simple error. this is not connect internet also.

just to create new file with vi editor:

vi /etc/resolv.conf

nameserver 8.8.8.8
nameserver 8.8.4.4

and then type this to quit vi: :wq

JoSSte
  • 2,210
  • 5
  • 25
  • 40
user10944771
  • 9
  • 1
0

I am using the default VPC and DNS host resolution is enabled by default; wasn't my issue. I followed the advice to add the default security group and that resolved my issue.

Erick
  • 37
  • 1
  • 6
0

If you're using NACL on the subnet were the EC2 is located.


Quick fix

You will have to open inbound Ephemeral ports for this yum update.

For example adding the #100 inbound rule below:

enter image description here

Notice that this is still necessary even if the outbound rules allow all traffic:

enter image description here

Why did have to do this?

  1. When yum opens an outbound connection on ports like 80/443 it comes back at a random high port (Ephemeral port).

  2. Network ACLs are stateless (not like Security groups) and will not allow returned connection on the same port by default.

You can read more in here.

RtmY
  • 7,115
  • 6
  • 51
  • 64
0

ACL in your vpc differs from the instances inbound or outbound rules. I see the vpc's acl get people every day multiple times.

Andrew Hude
  • 1
-1

I experienced the very same issue but the problem was not my Security Group or NACL.

Background: I added a domain name via Route53. The domain name continues to be hosted with DiscountASP.net. The VPC was created manually (no wizard or default). I created a DHCP Option Set with my domain name and the 4 servers IP addresses given to me by Route53.

Analysis: First, I needed to prove that the problem was not the Security Group or the NACL. I did this by attatching the default DHCP Option Set to my new VPC. It worked! I could do the yum update and "curl http://www.google.com". No problem.

I then created a new DHCP Option Set using my domain name and the Google DNS Servers. 8.8.8.8 & 8.8.4.4 This also worked.

I then took 1 of the 4 DNS Servers IPs provided by Route 53 and used it with my domain name in a new DHCP Option Set. I ran a test and it failed. I repeated the same test with 2 of the remaining 4 DNS Servers IPs, creating two separate DHCP Option Sets. I ran tests and they both failed.

After checking the spelling of my domain name I could only conclude that the problem was the domain name servers.

Solution: Amazon Virtual Private Cloud User Guide (PDF page 222) Amazon DNS Server (Sub topic)

"When you create a VPC, we automatically create a set of DHCP options and associate them with the VPC. This set includes two options: domain-name-servers = AmazonProvidedDNS, and domain-name=domainname-for-your-region. AmazonProvidedDNS is an Amazon DNS server, and this option enables DNS for instances that need to communicate over the VPC's Internet gateway. The string AmazonProvidedDNS maps to a DNS server running on a reserved IP address at the base of the VPC IPv4 network range, plus two. For example, the DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2."

From page 221: DHCP: domain-name-servers

Option Name Description "The IP addresses of up to four domain name servers, or AmazonProvidedDNS. The default DHCP option set specifies AmazonProvidedDNS. If specifying more than one domain name server, separate them with commas."

The IP addresses that its referring to are for external domain name servers (excluding the possibility you have created a custom DNS).

So I created my final DHCP Option Set using my domain name and domain-name-servers=AmazonProvidedDNS. It worked! By the way the VPC DNS Resolution = yes & DNS Hostname = no.

Ananize Scott
  • 783
  • 1
  • 7
  • 9
-4

Hay! Here is perfect answer i found

go to outbound rules add

All Traffic

That's it

Mallikarjuna Reddy
  • 1